On 26 October 2023, the UK Economic Crime and Corporate Transparency Act (the “Act”) received Royal Assent, introducing into UK law the long-awaited corporate “failure to prevent fraud” offence. The Act has had an eventful journey through parliament, generating much debate between the House of Commons and House of Lords, particularly as to the size of organisation to be in scope of the new corporate offence.
The new offence will largely follow the failure to prevent model which exists in relation to bribery (in the Bribery Act 2010) and the facilitation of tax evasion (in the Criminal Finances Act 2017). Under the Act, it will be an offence for a large company to fail to prevent fraud by a person associated with it. The offence will be one of strict liability: the only defence available to an organisation will be that it had in place reasonable procedures to prevent the misconduct.
The Act makes provision for a number of other important changes to UK law in respect of economic crime. Most notably (and separately from the new offence), the Act also widens how criminal liability can be attributed to a company in respect of specific economic crime offences. This significantly expands the long-established “identification principle”, which previously meant that only the most senior corporate officers could bind the company, acting as its directing mind and will. In practice this usually meant a member of the C-suite or Board. The Act now introduces corporate criminal liability based on the attribution of the liability of senior managers to the company. The impact of this is likely to be far greater than the introduction of the failure to prevent fraud offence and we will be looking at this in more detail in the weeks to come.
Under the Act, a company which is a large organisation is guilty of an offence if a person who is associated with the company commits a fraud offence intending to benefit (whether directly or indirectly) the company, or those to whom the associated person provides services on behalf of the company.
Taking a closer look at the key elements of the offence:
A company means a body corporate or a partnership (wherever incorporated or formed), but it must be a “large organisation”, defined as those which fulfil two out of the three following criteria:
More than 250 employees.
More than £36 million turnover.
More than £18 million in total assets.
If resources held across a parent company and its subsidiaries cumulatively meet the size threshold, that group of companies will be in scope of the failure to prevent fraud offence. Liability can be attached to whichever individual entity within the group was directly responsible for failing to prevent the fraud.
For the purposes of the offence, a person is associated with the company if the person:
is an employee, agent or subsidiary of the company; or
is an employee of a subsidiary of the company; or
otherwise performs services for or on behalf of the company.
Whether or not a person performs services for or on behalf of the company will be fact-specific and will be determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship between them. As with the bribery and tax offences, this means a company can be liable for misconduct by, e.g., self-employed or contracted agency workers alongside permanent employees.
The definition casts a wide net over potential persons for whose misconduct the company may ultimately be liable – wider than the definition of associated person in the failure to prevent offences relating to bribery and facilitation of tax evasion. For example, under these earlier offences, a subsidiary is caught “if it performs services for or on behalf of” its parent. By contrast, there is no such qualification for the failure to prevent fraud offence, which catches any subsidiary - and employees of subsidiaries.
Relevant fraud offences include those offences listed below - or aiding, abetting, counselling or procuring the commission of a listed offence:
False accounting (Theft Act 1968)
False statements by company directors (Theft Act 1968)
Fraud - which includes fraud by false representation, fraud by failing to disclose information, and fraud by abuse of position (Fraud Act 2006)
Participating in fraudulent business carried on by sole trader (Fraud Act 2006)
Obtaining services dishonestly (Fraud Act 2006)
Fraudulent trading (Companies Act)
Cheating the public revenue (common law)
The list of offences may also be updated through secondary legislation.
Corporate criminal liability attaches where the associated person (through their misconduct) intends to benefit, whether directly or indirectly:
the company, or
any person to whom the associated person provides services on behalf of the company (i.e. clients and customers) unless the company itself was, or was intended to be, a victim of the fraud.
Intention will be ascertained by evidence of the state of mind of the associated person at the material time.
Note that where the associated person is a subsidiary’s employee, the requirement for intended benefit is narrower and the failure to prevent fraud offence is only committed by the parent company if the employee intended to benefit the parent company, directly or indirectly.
A company will have a defence if it can demonstrate that it had in place such prevention procedures as it was reasonable in all the circumstances to expect it to have - or that it was not reasonable in all the circumstances to expect it to have any such procedures in place (e.g. where the risk of fraud is extremely low).
Prevention procedures are procedures designed to prevent persons associated with the company from committing fraud offences.
Undertaking comprehensive fraud risk assessments will therefore be an essential first step for companies to satisfy themselves that they have reasonable prevention procedures in place.
A company failing to demonstrate reasonable procedures will, if convicted, be liable to receive an unlimited fine.
The definition of a “relevant body” under the Act is a “body corporate or a partnership (wherever incorporated or formed)”. Note also that the Home Office's Impact Assessment states that a relevant body includes foreign companies with UK operations.
The Government’s factsheet on the new offence states that if an employee commits fraud under UK law, or targets UK victims, the employer could be prosecuted, even if the organisation (and the employee) are based overseas.
This suggests wide extraterritorial effect - meaning a company (whether based in the UK or abroad) could be liable if an associated person, again whether based in the UK or abroad, commits (i) a fraud offence in the UK or (ii) a fraud offence abroad which targets, impacts or causes harm to UK victims. That said, the extraterritorial reach is not as extensive as that of other failure to prevent offences, such as under section 7 of the Bribery Act, under which a foreign-incorporated company which carries on a business in the UK can be prosecuted for misconduct which takes place entirely overseas.
The company’s directors will not be liable - as the offence applies to companies only - although they may of course be prosecuted for the predicate fraud offence if they are implicated in the misconduct.
Although the Act has now received Royal Assent, the offence will come into force when the UK Government has published guidance on what it considers to be “reasonable fraud prevention procedures”. No timing on this is currently given.
Given that the SFO will be the main prosecuting authority for the new offence, it is worth mentioning that the Act also expands the SFO’s investigation powers. Existing pre-investigative powers under section 2A of the Criminal Justice Act 1987 will no longer be limited to suspected cases of international bribery and corruption. The expansion will allow the SFO to compel individuals and companies to provide information at the pre-investigation stage for all SFO investigations.
If you would like to find out more about what this new offence could mean for your company, how best to approach your assessment of risk, or update your existing policies and procedures, please get in contact with our team today.
Authored by Daniela Vella, Claire Lipworth, Olga Tocewicz, and Liam Naidoo.